List Info

Thread: mac os x safari ssl cipher suite
mac os x safari ssl cipher suite
user name
 2006-08-11 14:26:13 
I recently inspected ssl packets from the following apps:

firefox 1.5.0.6
safari 2.0.4 (419.3)
curl 7.15.4 with OpenSSL/0.9.7i

I found that they list the following cipher suites during
the client
hello handshake protocol:

(snippets from ethereal -V output...)

safari (22):
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: Unknown (0xff83)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: Unknown (0xff82)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: Unknown (0xff80)
Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)
Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
Cipher Suite: TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)
Cipher Suite: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 (0x0017)
Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)

firefox (20):
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)

curl (33):
Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
Cipher Spec: TLS_DHE_DSS_WITH_RC4_128_SHA (0x000066)
Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
Cipher Spec: SSL2_RC4_64_WITH_MD5 (0x080080)
Cipher Spec: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
(0x000063)
Cipher Spec: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
(0x000061)
Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
Cipher Spec: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
(0x000065)
Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x000064)
Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x000060)
Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
(0x000014)
Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
(0x000011)
Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)

Safari only seems to support DES, 3DES, and RC4 ciphers.  My
question
is this: should I be concerned about privacy when *_RC4_* is
the
negotiated suite, i.e., in my tests, safari used
TLS_RSA_WITH_RC4_128_SHA?  Firefox and curl used
TLS_DHE_RSA_WITH_AES_256_CBC_SHA.

Thanks,
Joe

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe
cryptography" to majordomometzdowd.com
mac os x safari ssl cipher suite
user name
 2006-08-12 18:03:36 
On Aug 11, 2006, at 10:26 AM, Joe Cooley wrote:

> I recently inspected ssl packets from the following
apps:
>
> firefox 1.5.0.6
> safari 2.0.4 (419.3)
> curl 7.15.4 with OpenSSL/0.9.7i
>
> I found that they list the following cipher suites
during the client
> hello handshake protocol:
>
> (snippets from ethereal -V output...)
<snip>
> Safari only seems to support DES, 3DES, and RC4
ciphers.  My question
> is this: should I be concerned about privacy when
*_RC4_* is the
> negotiated suite, i.e., in my tests, safari used
> TLS_RSA_WITH_RC4_128_SHA?  Firefox and curl used
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA.

RC4 when used correctly (which I believe it is in TLS)
should not  
concern you much.  What should concern you, however, is that
Apple  
has chosen to include a testing/debug NULL cipher in their
production  
(and completely unmodifiable w/o recompiling
System.framework)  
cipherlist:

> Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)

This means that a malicious server can negotiate Safari into
using no  
encryption at all, while still providing all the GUI
feedback of a  
secure SSL connection...

For fun, fire off this command and visit localhost:4433 from
both  
firefox and safari, and look at the packet dumps in ethereal
(use any  
snakeoil server.* you have handy):

/usr/local/bin/openssl s_server -cert server.crt -key
server.key -www  
-cipher
'AES:TLSv1:ALL:NULL:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA:!DES-CB
C- 
SHA:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5'

I filed a bug with Apple on this back in February, I
encourage others  
to do so as well at http://radar.apple.com. 
Ask them to include the  
AES ciphers while you're at it, it's only been 5 years or
so since it  
was standardized...

Thanks,
Eric
mac os x safari ssl cipher suite
user name
 2006-08-13 22:47:58 
     --
Joe Cooley wrote:
 > Safari only seems to support DES, 3DES, and RC4
 > ciphers.  My question is this: should I be concerned
 > about privacy when *_RC4_* is the negotiated suite,

Nothing wrong with RC4, when used correctly.  Using it
correctly turned out to be harder than we originally
thought - but SSL does use it correctly.


     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      8PORO+zKpxIcfbxPbIn6QJCWObzpBeAHXq1ayeRH
      4Xom0un81cmvTp/yhXOteppnRKtloRB7itr3E2ASz

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe
cryptography" to majordomometzdowd.com
[1-3]

about | contact  Other archives ( Real Estate discussion Medical topics )